Safety in 2028: Predicting the Safety Level of Future Standards
This paper was presented at Berlin 2018, the International Congress on Vertical Transportation Technologies, and first published in IAEE book Elevator Technology 22, edited by A. Lustig. It is a reprint with permission from the International Association of Elevator Engineers (www.elevcon.com).
Standards evolve all the time: for example, there are major differences between the first EN 81-1 and the latest EN 81-20. Most changes are initialized by “major events”: faults are discovered, new visions are created, major accidents happen or new technologies disrupt the industry. Furthermore, other industries can act as a precursor for the lift industry. However, if we analyze changes to the standards throughout time and find their causes, we can make a prediction regarding future changes. In particular, we can determine what the coming challenges are for the lift industry.
Standards evolve all the time. If we look back, we can find some major differences between “then and now.” The standards committees always follow one golden rule: it shall become safer. It is not permissible for new rules to create a cost advantage while at the same time create a safety disadvantage. Because of this approach, there is always a way forward in safety, and, as explained earlier, this makes it possible to analyze changes.
A change in the standard for a higher safety level needs a “catalyst,” a kick against current views that shakes up the existing knowledge and opens new roads. The history of lifts tells us that there are four ways of changing the standard:
- Accidents. This is the most direct way of changing standards.
- Combining standards, as we did to create the first EN 81 standard.
- A fault is discovered/new visions are created. This mostly happens when other standards or industries react to accidents or problems.
- New disruptive technologies. Most of the time, these originate in other industries, such as the use of carbon fiber in the aerospace industry.
Accidents happen, and, unfortunately, we are not able to make perfect systems. There is no central database of accidents involving lifts, so reliable statistics are almost impossible to collate. However, Liftinstituut has a record of almost all accidents in the Netherlands, so statistics are possible for this country. In the Netherlands, the overall level of safety is high, and inspections are mandatory by law, so a lack of maintenance is almost impossible. But this is not representative of all countries that use EN 81. Although the standard assumes that maintenance and inspections are performed, experience and data prove something different.
Both document and internet research were carried out for lift accidents in countries using EN 81 to get worldwide data. The aim was to find accident trends, then check if standards changes were made as a result of accidents and for any unresolved issues. It was impossible to gather 100% coverage of all accidents, because some reports were in a language we did not know, and a lot of accidents are not reported, because nobody wants bad publicity for their brand.
There are no requirements on reporting an accident or near-accident, but both can create very powerful data about nonconformity. This sort of central reporting system is available and used in other markets and industries. Numbers of very minor crashes around the world, however, have a negative impact on the reliability of the statistics. It was also hard to interpret some articles, because a combination of several sources was used to identify the cause of the accident.
Accidents where people were only slightly injured were hard to find. This was probably because the press does not find it interesting enough to write an article about it. Therefore, accidents involving only those who were slightly injured have been kept out of this investigation. In the end, a group of 200 lift accidents worldwide for which the cause of the accident was clear enough was investigated. In this group, 44 people died, and 64 people were badly injured. The following statistics and conclusions could be drawn from this.
Most major accidents (20%) were due to maintenance. Crushing came second, at 18%, and human error, at 11%. These three together account for approximately half of all errors, so this will be the first focus.
It is common knowledge that performing maintenance on lift systems is dangerous, but the number of accidents remains high, especially as the exposure time to this danger is a factor of at least 1,000 lower than normal use. In the new EN 81, there are multiple measurements that will increase safety for maintenance personnel. For example:
- More free space
- Pit inspection boxes
- Stronger demands on pit ladders
The result of these increased safety measures is yet to be determined. There should be a plan available to monitor such data and to check if the measures have led to the desired result.
The second problem is people being crushed. In crushing accidents, we find that more than 50% of all instances are deadly, and that all badly injured people typically lost a finger or hand because of the doors. Protective devices for power-operated doors are stricter in EN 81-20: they have to be able to detect objects with a minimum of 50 mm diameter. However, it is not yet considered to be a safety component, which means that the proper working of the device is not checked. It will be found on inspections, but, again, it is not a safety device, so the maintenance of it is not mandatory. The future will show if such token actions are enough.
In this group, 50% involve elderly people with mobility devices who have problems with doors. Electric mobility devices are equipped with strong electric motors that can easily damage doors in a hard impact. Such an impact was never considered in the old standards, but, since EN 81-20, stronger demands have been placed on doors. More people are living longer, so lifts need to take that into account. The speed and stability of elderly people should also be considered in the new standard. For example, in the Netherlands, an elderly woman was pushed by a door that generated only 4 J. The light curtain was bridged, because it took her too long to get in the car, and she ended up with a broken hip. Technical solutions are possible, and, due to the growth of this group of lift users, they should — and will — be considered more.
Technical errors mostly occur in countries without inspections. Bridged contacts or missing safety devices account for the majority of failures, but educating lift workers can reduce these problems. There is a trend for this, and the EN-13015 standard is currently being updated. For now, however, it is important that failures resulting from a lack of maintenance and/or inspection do not affect the norm itself directly. This could lead to a wrong focus that might actually increase the difficulty and costs of the system without directly adding any value to safety.
Already Achieved Results
There is a successful example of norm improvement: a few years ago, unintended car movement (UCM) protection was introduced in the EN 81-1/-2 standards. This was prompted by an increased number of accidents involving unintended movements caused by brake failures in lifts with variable speed control. From the data, it appears that the UCM was always in lifts without this feature. Due to the lack of data points, it is too soon to conclude that we have fully succeeded in this area, but, for now, it looks like we are moving the right way.
Combination of Standards
The Dutch NEN-1081 standard is one of the original standards of the modern EN 81 series. Its combination with the German and Scandinavian standards resulted in a new European standard. Because they were developed in single countries, however, these standards had differences. For example, in the Netherlands, it was mandatory that shaft pits be waterproof, as most of the country sits below sea level. Those demands remain in the modern EN 81 series. Also, there is an assumption of 75 kg per person, but, in Asia, different weights are being used. For example, in India, the assumption for the average weight of one person is 68 kg. The safest demand is probably one that will satisfy everybody and be kept.
Markets that have already undergone digitalization are now facing new problems. If someone told you in 1980 that your car could be hacked, you would not believe them. Nowadays, cars get over-the-air updates, and internet security has become a real thing. For example, a car had a weak point in its Wi-Fi’s security, and attackers could switch off the alarm. This is a security risk and not yet a safety failure, but how far can we go? With the Meltdown and Spectre weaknesses that affect Intel, AMD, and ARM processor designs, almost everything is vulnerable. It is not unthinkable that, by hacking the car, the indicator signals or the brakes, which are controlled by the software in the processor, can be disabled. Similar hacking has already occurred at nuclear installations in Iran. Stuxnet was developed to crash the country’s enrichment centrifuges so that it became very hard to refine uranium. This was one of the most spectacular uses of targeted computer viruses.
Digitalization is a trend in the market. Liftinstituut conducted a survey with their partners and found that 90% are planning to work with Programmable Electronic Safety Systems (PESSes) more often. This number is astonishingly high and presents a dilemma: a big lift company can become open to extortion. For example, an attacker may demand, “You’d better pay, or we will crash a random lift.” It is most likely that, in the future, EN 81 will evolve into a cyber security standard.
In geared machines, there is always a small amount of slack in the transmission. As the machine wears down, the slack increases. When the slack increases, the teeth of the gears get shorter, increasing the forces inside the machine. The question becomes, “With what amount of slack will the force on the teeth be too big to maintain safety?” For now, lift machines are not considered a safety component, and problems are tackled by over-dimensioning the system. Also, inspection parties follow a rule of thumb that has proved itself over time, which is, when the clearance is greater than X, the system is rejected and removed from service.
Current market conditions force lift companies to create cheaper machines, leading to changes in materials and safety factors. A modern machine does not look anything like the big machines of the past. But, this has a direct influence on the rule of thumb. How can we be sure it is still valid? Liftinstituut is currently creating a mathematical model especially for lift transmissions that, in time, will lead to an update of the standard.
Mechanical Meets Electronic
We are currently designing a safety function that influences the safety line. For PESS, we calculate the chance of failure of a safety system. We start at the sensor(s), then go to the processor, ending up in the actuators that cut the safety line. But, the safety line is not the end actuator — the brake is. Ideally, the probability of brake failure should be included in the failure calculations, as well. At the moment, there are some minor mathematical tools available: ISO-13849-1/2 can help, but this is a machine directive standard, mainly written for systems that operate 24/7. The issue itself is already recognized by the market, and the working groups are also wrestling with the problem. For now, the solution seems to be to divide the failure chance 50/50 between mechanical and electronic.
Assumptions are not bad, but real calculations can increase safety. The Netherlands Institute for Elevator Engineering Foundation, a shareholder of Liftinstituut, recently financed a PhD student who investigated this cause. The main goal was to find a mathematical way whereby systems consisting of electronic and mechanical safety components can be calculated together. The results are promising and, once finalized, will be put on the market.
This paper shows there is a link between the history and future of standards, but, to reach its conclusions, some assumptions were made. These are:
- All changes that were made in the standard were to improve safety. It is impossible to statistically prove this point, because there is not enough data for a proper investigation.
- We fully trust that those people involved in the standard committees are there with the best safety intentions and not to promote any hidden agendas.
- This investigation was done in the here and now. In four years’ time, a whole new technology could disrupt everything we know about lifts. This is exactly what happened to the hotel market with the introduction of Airbnb.
- Only a small part of the latest research is known by Liftinstituut.
It is impossible to include everything in this article.
The third point is an open and potentially especially dangerous point. What if the disrupter is so big that the standards cannot apply at all? Some new concepts are already worth a discussion: is it a lift or a machine? Or, if a drive system does not have ropes, which safety factor do we need for the new drive system, and how can we prove that the system is just as safe as one using normal ropes? The world is changing faster and faster, so will there ever come a time when the development cycle of new technologies outpaces the development of standards? There is no historical data available about this issue, because it has not yet happened. But, it is not unthinkable, as standards are directly connected to new technologies. As a possible solution, standards could be made more general. Linking specific standards is also a solution, and this process is already happening — the new EN 81-20 will probably point directly to the IEC-61508. And, as a last solution, the directive is available. Standards will always be a little behind cutting-edge technology, but they will always be usable.
The world is changing faster than ever, and so is the lift industry. We are facing an era of digitalization, data analyses and globalization. We already know that American and European standards will come together, but a full merger is way ahead. In fact, the first points are already merging together. If you design systems for the future, use the safest parameter of the standards, and you will be fine.
The data analyses of accidents have shown that we probably did improve in the right way but that there is still a lot to learn. We should monitor, preferably centrally, lift accidents so that we can act on them. In this way, we can increase the safety impact of any updates. It is, of course, impossible to say where and when accidents will happen, but it is certain that they will and that they will have a serious impact.
For the coming update, PESS will bring a major change, mostly because mechanical components (i.e., the brake) will be part of the safety function. This is a major change in philosophy. Over- dimensioning is not enough anymore, and, in the future, calculations will be closer to reality than ever. Of course, nothing is ever sure, but we at Liftinstituut trust that the future will be safer than ever with a more generic focus on standardization.